Credential REST Reference

/credential

Methods
GET

Gets the list of Credentials.

Fields Parameter

The fields parameter should be specified in the query string, and it takes the syntax:

    ?fields=<field>,...

NOTE: 'typeFields' returns type-specific parameters inside of a 'typeFields' object. It does not consider authType, privilegeEscalation, or dbType. If requested, typeFields returns as follows:

type "database": login, password, sid, port, authType, dbType, oracleAuthType, oracle_service_type, SQLServerAuthType, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase
type "ssh": authType, username, password, publicKey, privateKey, passphrase, kdc_ip, kdc_port, kdc_protocol, kdc_realm, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_private_key, thycotic_ssl_verify, privilegeEscalation, escalationUsername, escalationPassword, escalationSuUser, escalationPath
type "snmp": communityString
type "windows": authType, username, password, domain, kdc_ip, kdc_port, kdc_protocol, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_ssl_verify

Allowed Fields

*id
**name
**description
**type
creator
target
groups

typeFields
tags
createdTime
modifiedTime
canUse
canManage 

Session user role not "1" (Administrator)

owner
ownerGroup
targetGroup

Legend

* = always comes back

** = comes back if fields list not specified on GET all

Request Parameters

None

Filter Parameters

usable - The response will be an object containing an array of usable Credentials. By default, both usable and manageable objects are returned.
manageable - The response will be an object containing all manageable Credentials. By default, both usable and manageable objects are returned.

Example Response
{
	"type" : "regular",
	"response" : {
		"usable" : [
			{
				"id" : "1000001",
				"name" : "Test",
				"description" : "",
				"type" : "ssh"
			},
			{
				"id" : "1000002",
				"name" : "test",
				"description" : "",
				"type" : "ssh"
			}
		],
		"manageable" : [
			{
				"id" : "1000001",
				"name" : "Test",
				"description" : "",
				"type" : "ssh"
			},
			{
				"id" : "1000002",
				"name" : "test",
				"description" : "",
				"type" : "ssh"
			}
		]
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1408719365
}

 

POST

Adds a Credential.

Request Parameters
{
	"name" : <string>,
	"tags" : <string> DEFAULT "",
	"description" : <string> DEFAULT "",
	"type" : <string> "database" | "windows" | "snmp" | "ssh"
	...
}

type is "database"

{
	...
	"login" : <string>,	
	"sid" : <string> DEFAULT "",
	"authType" : <string>,


	authType "password"
	-------------------
	"password" : <string>,
	"port" : <string> (valid port number),
	
	authType "cyberark"
	------------------
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_cyberark_url" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string> "false" | "true",
	"vault_verify_ssl" : <string> "false" | "true",
	"vault_address" : <string> DEFAULT "",
	"vault_account_name" : <string>,
	"vault_cyberark_client_cert" : <string>,
	"vault_cyberark_private_key" : <string>,
	"vault_cyberark_private_key_passphrase" : <string>,
	"dbType" : <string>,
	
	dbType "Oracle"
	---------------
	"OracleAuthType" : <string>,
	"oracle_service_type" : <string>,
	
	dbType "SQL Server"
	-------------------
	"SQLServerAuthType" : <string>,
}

type is "ssh"

{
	...
	"username" : <string>,
	"authType" : <string> "certificate" | "cyberark" | "kerberos" | "password" | "publickey" | "thycotic"
	
	authType "certificate"
	---------------
	"publicKey" : <string>,
	"privateKey" : <string>,
	"passphrase" : <string> DEFAULT "",
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "cyberark"
	-------------------
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_cyberark_url" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string> "false" | "true",
	"vault_verify_ssl" : <string> "false" | "true",
	"vault_address" : <string> DEFAULT "",
	"vault_account_name" : <string>,
	"vault_cyberark_client_cert" : <string>,
	"vault_cyberark_private_key" : <string>,
	"vault_cyberark_private_key_passphrase" : <string>,
	"privilegeEscalation" : <string> "none" DEFAULT "none"
	
	authType "kerberos"
	-------------------
	"password" : <string>,
	"kdc_ip" : <string> (valid IP address),
	"kdc_port" : <string> (valid port number),
	"kdc_protocol" : <string>,
	"kdc_realm" : <string>,
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "password"
	-------------------
	"password" : <string>,
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "publickey"
	--------------------
	"privateKey" : <string>,
	"passphrase" : <string> DEFAULT "",
	"privilegeEscalation" : <string> "none" | "su" | "sudo" | "su+sudo" | "dzdo" | "pbrun" | "cisco" | ".k5login"
	
	authType "thycotic"
	--------------------
	"thycotic_secret_name" : <string>,
	"thycotic_url" : <string>,
	"thycotic_username" : <string>,
	"thycotic_password" : <string>,
	"thycotic_organization" : <string> DEFAULT "",
	"thycotic_domain" : <string> DEFAULT "",
	"thycotic_private_key" : <string> "no" | "yes",
	"thycotic_ssl_verify" : <string> "no" | "yes",
	"privilegeEscalation" : <string> "none" DEFAULT "none"
	
	privilegeEscalation ".k5login"
	-----------------------------
	"escalationUsername" : <string>
	
	privilegeEscalation "cisco"
	---------------------------
	"escalationPassword" : <string>
	
	privilegeEscalation "dzdo" and authType "certificate"
	-----------------------------------------------
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "dzdo" and authType "certificate"
	-----------------------------------------------
	"escalationUsername" : <string>,
	"escalationPassword" : <string>,
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "pbrun"
	---------------------------
	"escalationPassword" : <string>,
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "su+sudo"
	-----------------------------
	"escalationSuUser" : <string>,
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
	
	privilegeEscalation "su" | "sudo"
	---------------------------------
	"escalationUsername" : <string> DEFAULT "",
	"escalationPassword" : <string> DEFAULT "",
	"escalationPath" : <string> DEFAULT ""
}

type is "snmp"

{
	...
	"communityString" : <string>
}

type is "windows"

{
	...
	"username" : <string>,
	"authType" : <string> "cyberark" | "kerberos" | "lm" | "ntlm" | "password" | "thycotic",
	
	authType "cyberark"
	-------------------
	"domain" : <string> DEFAULT "",
	"vault_host" : <string> (valid IP or IP host),
	"vault_port" : <string> (valid port number),
	"vault_username" : <string> DEFAULT "",
	"vault_password" : <string> DEFAULT "",
	"vault_cyberark_url" : <string> DEFAULT "",
	"vault_safe" : <string>,
	"vault_app_id" : <string>,
	"vault_policy_id" : <string> DEFAULT "",
	"vault_folder" : <string>,
	"vault_use_ssl" : <string>,
	"vault_verify_ssl" : <string>,
	"vault_account_name" : <string>,
	"vault_cyberark_client_cert" : <string>,
	"vault_cyberark_private_key" : <string>,
	"vault_cyberark_private_key_passphrase" : <string>,
	
	authType "kerberos"
	-------------------
	"password" : <string>,
	"kdc_ip" : <string> (valid IP address),
	"kdc_port" : <string> (valid port number),
	"kdc_protocol" : <string>,
	"kdc_realm" : <string>
	
	authType "lm" | "ntlm" | "password"
	-----------------------------------
	"password" : <string>,
	"domain" : <string> DEFAULT ""
	
	authType "thycotic"
	-------------------
	"domain" : <string> DEFAULT "",
	"thycotic_secret_name" : <string>,
	"thycotic_url" : <string>,
	"thycotic_username" : <string>,
	"thycotic_password" : <string>,
	"thycotic_organization" : <string> DEFAULT "",
	"thycotic_domain" : <string> DEFAULT "",
	"thycotic_ssl_verify" : <string> "no" | "yes"
	"privilegeEscalation" : <string> "none" DEFAULT "none"
}

Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000009",
		"type" : "database",
		"name" : "'database' Test PATCH",
		"description" : "Manually inputted in data for use in testing",
		"tags" : "",
		"createdTime" : "1433187223",
		"modifiedTime" : "1433265608",
		"typeFields" : {
			"login" : "test",
			"password" : "SET",
			"sid" : "",
			"port" : "49",
			"dbType" : "Oracle",
			"oracleAuthType" : "test",
			"SQLServerAuthType" : ""
		},
		"groups" : [],
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1433279057
}

/credential/{id}

Methods
GET

Gets the Credential associated with {id}.

Fields Parameter

The fields parameter should be specified in the query string, and it takes the syntax:

    ?fields=<field>,...

NOTE: 'typeFields' returns type-specific parameters inside of a 'typeFields' object. It does not consider authType, privilegeEscalation, or dbType. If requested, typeFields returns as follows:

type "database": login, password, sid, port, dbType, oracleAuthType, oracle_service_type, SQLServerAuthType, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase
type "ssh": authType, username, password, publicKey, privateKey, passphrase, kdc_ip, kdc_port, kdc_protocol, kdc_realm, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, vault_address, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_secret_name, thycotic_url, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_private_key, thycotic_ssl_verify, privilegeEscalation, escalationUsername, escalationPassword, escalationSuUser, escalationPath
type "snmp": communityString
type "windows": authType, username, password, domain, kdc_ip, kdc_port, kdc_protocol, vault_host, vault_port, vault_username, vault_password, vault_cyberark_url, vault_safe, vault_app_id, vault_folder, vault_use_ssl, vault_verify_ssl, thycotic_secret_name, thycotic_url, vault_account_name, vault_cyberark_client_cert, vault_cyberark_private_key, vault_cyberark_private_key_passphrase, thycotic_username, thycotic_password, thycotic_organization, thycotic_domain, thycotic_ssl_verify

Allowed Fields

*id
**name
**description
**type
creator
groups

target
typeFields
tags
createdTime
modifiedTime
canUse
canManage

Session user role not "1" (Administrator)

owner
ownerGroup
targetGroup

Legend

* = always comes back

** = comes back if fields list not specified on GET all

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000009",
		"type" : "database",
		"name" : "'database' Test PATCH",
		"description" : "Manually inputted in data for use in testing",
		"tags" : "",
		"createdTime" : "1433187223",
		"modifiedTime" : "1433265608",
		"typeFields" : {
			"login" : "test",
			"password" : "SET",
			"sid" : "",
			"port" : "49",
			"dbType" : "Oracle",
			"oracleAuthType" : "test",
			"SQLServerAuthType" : ""
		},
		"groups" : [],
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1433279057
}

PATCH

Edits the Credential associated with {id}, changing only the passed-in fields.

Request Parameters

Note #1: A Credential's 'type' parameter may not be modified, but 'authType' may be modified.

Note #2: When a Credential's authType, dbType, or privilegeEscalation parameters are modified, the parameters that no longer apply will be cleared by default.

Parameters that may still apply, however, are maintained by default. Either kind may be passed to override the default, though passing fields that no longer apply gives an error.

For example, if privilegeEscalation is modified from 'su' to 'pbrun', both 'escalationPassword' and 'escalationPath' still apply and will be maintained. The escalationUsername parameter no longer applies, however, and will be cleared.

Note #3: When a password field is saved, the response will be a string "SET". During PATCH, however, "SET" should not be passed back, or it will be considered to be the new password.

(All fields are optional)

See for parameters.
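
A client-side guard for Notes #1 to #3, as an added example that is not part of the original reference or the vendor's code. It assumes PATCH takes the same flat parameter layout as POST and that the masked fields are those with "password" in their name; build_patch_body and is_password_field are hypothetical helper names.

```python
# Added example, not vendor code. Field names are from this page;
# build_patch_body and is_password_field are hypothetical helper names.
SET_PLACEHOLDER = "SET"  # returned by the API in place of a saved password

# Escalation parameters listed on this page per ssh privilegeEscalation value.
_FULL = {"escalationUsername", "escalationPassword", "escalationPath"}
ESCALATION_FIELDS = {
    "none": set(),
    ".k5login": {"escalationUsername"},
    "cisco": {"escalationPassword"},
    "pbrun": {"escalationPassword", "escalationPath"},
    "su": _FULL, "sudo": _FULL, "dzdo": _FULL,
    "su+sudo": _FULL | {"escalationSuUser"},
}
ALL_ESCALATION = _FULL | {"escalationSuUser"}


def is_password_field(name):
    # Assumption: every field whose name contains "password" is masked as "SET".
    return "password" in name.lower()


def build_patch_body(current, edited):
    """Return the minimal PATCH body: fields of `edited` that differ from `current`.

    current: the "response" object of GET /credential/{id} (with typeFields).
    edited:  flat dict of desired values, e.g. a form pre-filled from the GET.
    """
    if edited.get("type", current.get("type")) != current.get("type"):
        raise ValueError("'type' may not be modified (Note #1)")
    known = {**current, **current.get("typeFields", {})}
    body = {}
    for key, value in edited.items():
        if is_password_field(key) and value == SET_PLACEHOLDER:
            continue  # echoed placeholder; sending it would make "SET" the password
        if known.get(key) != value:
            body[key] = value
    # Note #2: parameters that stop applying are cleared; passing them is an error.
    new_esc = body.get("privilegeEscalation")
    if new_esc is not None:
        allowed = ESCALATION_FIELDS.get(new_esc, set())
        stale = (ALL_ESCALATION - allowed).intersection(body)
        if stale:
            raise ValueError(f"{sorted(stale)} do not apply to {new_esc!r}")
    return body
```

Sending only the changed fields also keeps secrets that were never edited out of the request body and out of any proxy or client-side request logs.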

Example Response
See

DELETE

Deletes the Credential associated with {id}, depending on access and permissions.

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : "",
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1408723358
}

/credential/{id}/share

Methods
POST

Shares the Credential associated with {id}, depending on access and permissions.

Note: Admin users cannot share credentials. Application credentials cannot be shared.

Request Parameters
{
	"groups" : [
		{
			"id" : <number>
		}...
	]
}

Example Response
{
	"type" : "regular",
	"response" : {
		"id" : "1000002",
		"creatorID" : "1",
		"ownerID" : "1",
		"type" : "kerberos",
		"name" : "test",
		"description" : "",
		"tags" : "",
		"createdTime" : "1407871560",
		"modifiedTime" : "1407871560",
		"ownerGID" : "0",
		"targetGID" : "-1",
		"ip" : "192.168.1.145",
		"port" : "1",
		"protocol" : "stuff",
		"realm" : "stuff",
		"canUse" : "true",
		"canManage" : "true",
		"creator" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"owner" : {
			"id" : "1",
			"username" : "head",
			"firstname" : "Security Manager",
			"lastname" : ""
		},
		"ownerGroup" : {
			"id" : "0",
			"name" : "Full Access",
			"description" : "Full Access group"
		},
		"targetGroup" : {
			"id" : -1,
			"name" : "",
			"description" : ""
		}
	},
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1409082841
}

/credential/tag

Methods
GET

Gets the full list of unique Credential tags.

Note: Organization user responses will contain both organization and admin policy tags. Admin user responses will contain only admin policy tags.

Request Parameters

None

Example Response
{
	"type" : "regular",
	"response" : [
		"Tag1",
		"Tag2",
		"Tag3"
	],
	"error_code" : 0,
	"error_msg" : "",
	"warnings" : [],
	"timestamp" : 1461093219
}